I've had no success in trying to find out why the following is occurring
during every SMTP message delivery - extract from Exim log:
2022-03-11 12:58:02 no IP address found for host
permission.impactdatastamp.com (during SMTP connection from
hh.schlittermann.de [213.128.132.49])
2022-03-11 13:00:32 no IP address found for host
permission.impactdatastamp.com (during SMTP connection from
hh.schlittermann.de [213.128.132.49])
2022-03-11 13:03:26 no IP address found for host
permission.impactdatastamp.com (during SMTP connection from
mail135.sea101.rsgsv.net [148.105.15.135])
2022-03-11 13:04:08 no IP address found for host
permission.impactdatastamp.com (during SMTP connection from
mail116.atl261.mcdlv.net [198.2.142.116])
Looking at the DNS name server logs, the lookup is being performed as an
internal lookup:
11-Mar-2022 13:00:32.420 client @0x7fb9840697a0 127.0.0.1#34558
(permission.impactdatastamp.com): query: permission.impactdatastamp.com
IN A + (127.0.0.1)
11-Mar-2022 13:00:32.420 client @0x7fb97c090040 127.0.0.1#43036
(permission.impactdatastamp.com.crorie.com): query:
permission.impactdatastamp.com.crorie.com IN A + (127.0.0.1)
11-Mar-2022 13:03:26.132 client @0x7fb97c040160 127.0.0.1#44920
(permission.impactdatastamp.com): query: permission.impactdatastamp.com
IN A + (127.0.0.1)
11-Mar-2022 13:03:26.132 client @0x7fb9840697a0 127.0.0.1#57632
(permission.impactdatastamp.com.crorie.com): query:
permission.impactdatastamp.com.crorie.com IN A + (127.0.0.1)
11-Mar-2022 13:04:08.438 client @0x7fb984021990 127.0.0.1#48885
(permission.impactdatastamp.com): query: permission.impactdatastamp.com
IN A + (127.0.0.1)
11-Mar-2022 13:04:08.438 client @0x7fb984021990 127.0.0.1#59037
(permission.impactdatastamp.com.crorie.com): query:
permission.impactdatastamp.com.crorie.com IN A + (127.0.0.1)
That domain hasn't been active for some considerable while and as part
of my investigation I am searching the entire server for this text
string with:
grep -rwl permission.impactdatastamp.com /
Interestingly, this has turned up old Exim log records of a bounce
message from this server just over three years ago /(I'm a log file
hoarder!)/:
2019-11-06 07:42:04 Received from bounces@???
H=permission.impactdatastamp.com [51.254.178.113] P=esmtp S=16017
id=2818260stD2xT27d6f682602529bb459665e5a2d450472818260@???
2019-11-06 07:42:10 [redacted inbound e-mail address]: amavis transport
succeeded
2019-11-06 07:42:10 Received from bounces@???
H=localhost [127.0.0.1] P=esmtp S=16555
id=2818260stD2xT27d6f682602529bb459665e5a2d450472818260@???
2019-11-06 07:42:10 [redacted inbound e-mail address]: local_delivery
transport succeeded
2019-11-06 07:42:10 [redacted inbound e-mail address]: children all complete
There are two message log entries because I use amavis to divert inbound
messages for scanning by clamd. I've no reason to believe that there has
been any compromise of the mail server.
--
footer
/NB - The e-mail address from which this message is sent has been
created to detect the inadvertent leakage of the writer's personal data
to third parties and to provide the opportunity to deal with this
situation if it occurs: *no adverse conclusion should be inferred from
its use for this purpose.*/
_________________________________________________________________
This communication is intended for the addressee only.
Please let the sender know by e-mail if you receive
this in error. Thank-you for your co-operation.
If you have not imported CAcert's root certificate, please go to here
<
https://www.cacert.org/index.php?id=3>
Root certificate fingerprint (SHA256) = 07ED BD82 4A49 88CF EF42 15DA
20D4 8C2B 41D7 1529 D7C9 00F5 7092 6F27 7CC2 30C5
Root certificate fingerprint (SHA1) = DDFC DA54 1E75 77AD DCA8 7E88 27A9
8A50 6032 52A5
